標籤:deb 比較 info 串連 array ida 做了 好的 方法
2018-04-26
DDCTF re1:(baby_MIPS) 參照夜影大佬和henryZhao的wp.
1. 利用qemu運行MIPS程式:
baby_mips是MIPS指令集上的程式,IDA只能靜態分析,不能debug。採取的方法是在linux機上安裝qemu模擬器,利用qemu來運行MIPS指令程式。經嘗試,baby_mips是小字端程式,使用指令,運行程式。運行效果是輸入16個變數,然後報錯非法指令。
如果要利用IDA調試,使用指令,監控23946連接埠,原理:qemu -g port指令開啟一個gdbserver。port另一端可以由IDA或gdb串連調試。
2. 花指令的識別和去除:
上述遇到了非法指令,查看IDA反編譯代碼發現大都在EB02開頭的指令處觸發非法指令錯誤。並且有很多未解析的程式碼片段資料,考慮花指令。寫idc指令碼去除EB02開頭指令,以下代碼來自夜影大佬:
1 #include<idc.idc> 2 3 static matchBytes(StartAddr,Match) 4 { 5 auto Len,i,PatSub,SrcSub; 6 Len = strlen(Match); 7 8 while(i<Len) 9 {10 PatSub = substr(Match,i,i+1);11 SrcSub = form("%02X",Byte(StartAddr));12 SrcSub = substr(SrcSub,i%2,(i%2)+1);13 14 if(PatSub != "?" && PatSub!=SrcSub)15 {16 return 0;17 }18 19 if(i%2 ==1)20 {21 StartAddr++;22 }23 i++;24 }25 return 1;26 }27 28 29 static main()30 {31 auto StartVa, SavedStartVa,StopVa,Size,i,j;32 33 34 StartVa = 0x400420;35 StopVa = 0x403233;36 37 Size = StopVa - StartVa;38 SavedStartVa = StartVa;39 40 41 for(i=0;i<Size/4;i++)42 {43 if(matchBytes(StartVa,"EB02????"))44 {45 Message("Find%x:%02x%02x%02x%02x\n",StartVa,Byte(StartVa),Byte(StartVa+1),Byte(StartVa+2),Byte(StartVa+3));46 for(j=0;j<4;j++)47 {48 PatchByte(StartVa,0x00);49 MakeCode(StartVa);50 StartVa++;51 }52 }53 else{54 StartVa = StartVa+4;55 }56 }57 58 AnalyzeArea(SavedStartVa,StopVa);59 Message("Clear eb02 Opcode Ok");60 }
對於idc的編寫不熟,附上一個連結:IDA的調試指令碼idc
其包含一些常用的函數便於尋找。
去除完花指令,IDC中AnalyzeArea似乎沒有沒有起作用,還是沒有完全將其識別為整一個函數體。Edit function 將其設定為一個函數後,通過函數跳轉圖可以看到大概邏輯,但是還是無法F5大法。
3. JEB2-mips(反編譯MIPS):
嗯,夜影大佬的清洗代碼看不動,就看了Web大佬henryZhao的re題解,菜哭/(ㄒoㄒ)/~~,知道了jeb2新增了mips反編譯功能,下載支援mips的jeb2試用版,試圖反編譯mips。得到,
可以看出是一個方程組求解問題,手敲資料寫python解方程組。
1 import numpy as np 2 from scipy.linalg import solve 3 A=[ 4 [-56251,64497,-61787,29993,-16853,2147,-51990,-36278,-34108,-1148,1798,-43452,-16150,-56087,-17677,-41752], 5 [-39354,63754,50513,2396,-37448,43585,19468,-4688,-62869,-20663,41173,61113,30862,38224,-601,53899], 6 [26798,-58888,14929,-21751,-12385,55961,-20714,24897,40045,9805,25147,39173,-21952,-42840,37937,-8559], 7 [-2789,53359,16747,54195,-30020,39916,-32582,60338,13971,27307,-30484,47826,37554,64914,-1745,27669], 8 [40374,6523,13380,-53413,-1194,7796,-31815,-51866,-40252,-56883,57811,23278,-5785,61525,-6984,-7335], 9 [-57052,-64573,-62351,2628,21493,12939,-60006,435,15009,-4091,22743,4901,48803,-43203,5263,-32994],10 [54760,41053,22537,-56473,46316,19787,-40180,2088,2044,26575,-5207,31098,-23838,21642,46750,13706],11 [-40176,-43382,48718,-25423,21452,-36714,-24119,-13231,-52192,49742,54709,-32636,20233,21460,48733,15155],12 [38446,-880,-2443,50487,-46973,-56178,-37138,-9079,-19096,-60988,-1823,-21538,43896,-4141,-19370,-47796],13 [5176,18400,-53852,36119,-32120,47724,17154,5390,-29717,14471,8755,1432,-45518,-8148,-56623,-48254],14 [30203,-50712,-27560,-16075,3618,590,44305,20581,33442,-7743,-43075,-16234,45723,-44899,42321,49264],15 [42705,-32299,-19156,5594,28870,8059,58103,-60723,-32112,-7128,45985,-24915,63910,18427,-51408,22619],16 [-57517,20738,-32286,55995,26666,37550,-51489,13733,32455,-2897,-39622,-54523,50733,-24649,-17849,-62326],17 [-15716,-38264,64476,-37524,-61551,13536,12920,1407,-63767,-55105,-46543,-36562,-20712,2063,-6668,9074],18 [47490,18611,52416,3107,32177,-41780,11008,7223,5652,881,26719,-28444,46077,-272,-32475,-9432],19 [-58938,-35689,35708,44689,45902,36614,38550,731,49990,6727,61526,-35587,-39199,-43886,-56409,-25519],20 ]21 B=[-24232262,17175305,8705731,26962228,-6384428,-15459013,19554563,-188243,-19590071,-12754495,6442406,-2869966,-4805280,-18964176,8938201,3896470]22 23 a = np.array(A)24 b = np.array(B)25 x =solve(a,b)26 print(x)
最終得到flag:
總結:
花指令的識別,花指令的清洗(idc指令碼),
MIPS程式的反編譯(JEB2),
方程組的python求解(scipy.linalg)。(注意:scipy.linalg求出來的解感覺是近似解,最後的輸入都是取得solve結果的四捨五入解。)
Android xss的調研:
發現幾個比較好的文章,看了一些,先貼上,還沒有實踐,實踐後再寫。
Android:最全面的 Webview 詳解
Android:你要的WebView與 JS 互動方式 都在這裡了
Android:你不知道的 WebView 使用漏洞
其他:
今天還看了一下DDCTF的re2黑箱測試,試著自己做了做,沒做出來,還是要看夜影大佬的wp。學習一下分析資料結構的手段和習慣吧。明天複現了寫。
明日預計:
黑箱測試複現完,總結。
做android webview實驗。
[轉組第2天] | baby_mips和android xss的調研
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
